Security researchers have come across a new malware family, dubbed AcidBox, that leverages an exploit previously associated with the Turla cyber espionage group.
The Turla group, also tracked as Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON, has been active since at least 2007 and is known for its attacks against diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, and North and South America.
Turla was the first threat actor known to have abused a legitimately signed third-party device driver to disable Driver Signature Enforcement (DSE), a security mechanism first introduced in Windows Vista to prevent unsigned drivers from being loaded into kernel space. Turla exploited the signed VirtualBox driver VBoxDrv.sys v1.6.2 to switch DSE off from inside the kernel and then loaded its own unsigned payload drivers. The point of the technique is that the driver itself passes signature checks and loads normally; the weakness lies in what the driver then lets user-mode code do.
Turla's exploit, commonly referred to as CVE-2008-3431, actually abuses two vulnerabilities, of which only one was ever patched. The second variant of the exploit abuses the other, still-unpatched vulnerability.
Now, Palo Alto Networks researchers say they discovered that another threat actor, which appears to be unrelated to Turla, has been exploiting the same flaw in targeted attacks against Russian organizations.
“In February 2019, Unit 42 found that a yet-to-be-known threat actor — unbeknownst to the infosec community — discovered that the second unpatched vulnerability can not only exploit VirtualBox VBoxDrv.sys driver v1.6.2, but also all other versions up to v3.0.0,” the researchers said. “Furthermore, our research shows that this unknown actor exploited VirtualBox driver version 2.2.0 to target at least two different Russian organizations in 2017, which we are revealing for the first time. We anticipate this was done because the driver version 2.2.0 wasn’t known to be vulnerable and thus most likely is not on the radar of security companies being exploited. Since no other victims have been found, we believe this is a very rare malware used in targeted attacks only.”
AcidBox is a complex, modular toolkit that appears to be only one component of a larger toolset the researchers have yet to identify. They found three user-mode samples (64-bit DLLs that load the main worker from the Windows registry) and one kernel-mode payload driver.
All of the uncovered samples carry a compilation timestamp of May 9, 2017. The researchers said they had found no newer samples, so it is unknown whether the malware is still in use or has been further developed.
“While AcidBox doesn’t use any fundamentally new methods, it breaks the myth that only VirtualBox VBoxDrv.sys 1.6.2 can be used for Turla’s exploit. Appending sensitive data as an overlay in icon resources, abusing the SSP interface for persistence and injection and payload storage in the Windows registry puts it into the category of interesting malware,” the research team concluded.
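Two of the indicators above are cheap to hunt for on a Windows fleet: a VBoxDrv.sys whose version falls in the range Unit 42 reported as exploitable, and a Security Support Provider registered with LSA that is not part of the standard set. The script below is an added example written for this article; it is not Unit 42's code and not part of AcidBox. It works over constructed sample data (a driver inventory as you would get from `driverquery /v` or a PowerShell driver listing, and the `Security Packages` REG_MULTI_SZ value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`). The inclusive treatment of v3.0.0 and the baseline SSP list are assumptions to tune for your environment.

```python
"""Hunting helper for two AcidBox-related indicators:
  1. a VirtualBox VBoxDrv.sys in the version range reported as exploitable
     (v1.6.2 up to v3.0.0 per Unit 42);
  2. an unexpected Security Support Provider (SSP) registered with LSA.
Inputs here are constructed for illustration; on a live host feed it the
driver inventory and the LSA 'Security Packages' registry value instead.
"""
from typing import Dict, Iterable, List, Tuple

# Upper bound of the vulnerable range quoted by Unit 42 ("up to v3.0.0").
# Assumption: treated as inclusive so that hunting errs on the side of flagging.
VULN_MAX_VERSION = (3, 0, 0)

# Assumption: baseline of Microsoft-shipped SSP/AP names. Tune to your build;
# an entry outside this set deserves a look, it is not proof of compromise.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v2.2.0' -> (2, 2, 0). Only the first three fields are compared."""
    parts = text.strip().lstrip("vV").split(".")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable_vboxdrv(path: str, version: str) -> bool:
    """True when the file is VBoxDrv.sys and its version is <= VULN_MAX_VERSION."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name != "vboxdrv.sys":
        return False
    return parse_version(version) <= VULN_MAX_VERSION


def find_vulnerable_drivers(drivers: Iterable[Tuple[str, str]]) -> List[str]:
    """drivers: (path, file_version) pairs. Returns paths worth investigating."""
    return [path for path, ver in drivers if is_vulnerable_vboxdrv(path, ver)]


def find_unexpected_ssps(security_packages: Iterable[str]) -> List[str]:
    """security_packages: entries of the 'Security Packages' REG_MULTI_SZ value.
    Empty strings (a common placeholder in that value) are ignored."""
    return [p for p in security_packages if p and p.lower() not in BASELINE_SSPS]


def hunt(drivers: Iterable[Tuple[str, str]],
         security_packages: Iterable[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by indicator."""
    return {
        "vulnerable_vboxdrv": find_vulnerable_drivers(drivers),
        "unexpected_ssps": find_unexpected_ssps(security_packages),
    }


# Constructed sample inventory: one old VirtualBox driver (the version Unit 42
# saw abused), one current one, and an unrelated driver.
SAMPLE_DRIVERS = [
    (r"C:\Windows\System32\drivers\VBoxDrv.sys", "2.2.0"),
    (r"C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys", "6.1.18"),
    (r"C:\Windows\System32\drivers\ndis.sys", "10.0.19041.1"),
]

# Constructed 'Security Packages' value with one non-baseline entry
# ("sample_ssp" is a made-up name, not a real indicator).
SAMPLE_SECURITY_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest",
                            "tspkg", "pku2u", "", "sample_ssp"]


if __name__ == "__main__":
    for indicator, hits in hunt(SAMPLE_DRIVERS, SAMPLE_SECURITY_PACKAGES).items():
        print(f"{indicator}: {hits or 'none'}")
```

The SSP check only covers the registry-based registration path; a provider added at runtime through `AddSecurityPackage` will not appear in the registry value, so pair this with a look at the DLLs loaded in lsass.exe.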